review.opendev.org SSH key change?

Jeremy Stanley fungi at yuggoth.org
Mon Sep 14 13:48:04 UTC 2020


On 2020-09-14 13:00:58 +0100 (+0100), Sorin Sbarnea wrote:
> I am in favor of doing a key sync as this would be the least
> intrusive for the user point of view.
> 
> Having the SSHFP is a good measure and improves security far more
> than the issue of having the key synchronized.
[...]

We ended up solving it by having the SSHFP records for
review.opendev.org reflect the mina-ssh based Gerrit API listener on
29418/tcp, while the SSHFP records for review01.opendev.org (the
server's canonical name) correspond to the OpenSSH listener for the
operating system itself on 22/tcp. It meant dropping the CNAME
indirection for the service name and just giving it A/AAAA records
directly, but that's not particularly inconvenient for us to manage
(they're effectively adjacent lines in the same zone file anyway).
-- 
Jeremy Stanley
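As an added illustration of the arrangement described in the message (not code from the thread or from the OpenDev project), the following Python builds SSHFP resource records the way `ssh-keygen -r` does, hashes of the raw host-key blob per RFC 4255, and checks a key against the records published for a name. The host keys, the 203.0.113.0/24 and 2001:db8::/32 addresses and the zone contents are constructed placeholders; only the two names and the 22/29418 split come from the message. It shows why each name needs its own SSHFP set: a client asked to reach review.opendev.org looks up SSHFP for that name, so the Gerrit key verifies there and fails against the OpenSSH records under review01.opendev.org, and a name that is a CNAME cannot carry its own SSHFP data at all.

```python
"""Build and verify SSHFP (RFC 4255) records for SSH host keys.

Constructed example: the host keys, addresses and zone data below are
synthetic placeholders, not OpenDev's real records.
"""
from __future__ import annotations

import base64
import hashlib
import struct

# Code points from RFC 4255, RFC 6594 and RFC 7479.
KEY_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def sshfp_rdata(pubkey_line: str, fptype: int = 2) -> str:
    """Return SSHFP RDATA ("<alg> <fptype> <hex>") for an OpenSSH public-key
    line such as 'ssh-ed25519 AAAA... comment'.

    The fingerprint is the hash of the base64-decoded key blob, which is what
    `ssh-keygen -r` prints and what ssh compares under VerifyHostKeyDNS.
    """
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = FP_TYPES[fptype](blob).hexdigest()
    return f"{KEY_ALGORITHMS[key_type]} {fptype} {digest}"


def verify_host_key(pubkey_line: str, records: list[str]) -> bool:
    """True if the key matches any SSHFP record published under the queried name."""
    wanted = {sshfp_rdata(pubkey_line, fptype) for fptype in FP_TYPES}
    return any(" ".join(r.split()).lower() in wanted for r in records)


def zone_fragment(name: str, addresses: dict[str, str], sshfp: list[str],
                  ttl: int = 300) -> str:
    """Render A/AAAA plus SSHFP records for one owner name in zone-file syntax.

    The service name gets address records directly rather than a CNAME: a
    CNAME owner cannot hold other record types, so it could not publish a
    fingerprint different from the target's.
    """
    lines = [f"{name} {ttl} IN {rtype} {addr}" for rtype, addr in addresses.items()]
    lines += [f"{name} {ttl} IN SSHFP {rdata}" for rdata in sshfp]
    return "\n".join(lines)


def _placeholder_ed25519_pubkey(seed: int, comment: str) -> str:
    """Constructed placeholder key: a 32-byte pattern in ssh-ed25519 wire
    format. Only the fingerprint arithmetic matters for this example."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


GERRIT_KEY = _placeholder_ed25519_pubkey(0x11, "gerrit-mina-ssh-29418 (constructed)")
OPENSSH_KEY = _placeholder_ed25519_pubkey(0x22, "openssh-22 (constructed)")

# Constructed zone: each name carries only the fingerprint of the listener a
# client reaches under that name.
ZONE = {
    "review.opendev.org.": [sshfp_rdata(GERRIT_KEY)],
    "review01.opendev.org.": [sshfp_rdata(OPENSSH_KEY)],
}
ADDRESSES = {"A": "203.0.113.10", "AAAA": "2001:db8::10"}  # documentation ranges

if __name__ == "__main__":
    for name, records in ZONE.items():
        print(zone_fragment(name, ADDRESSES, records))
    print("gerrit key vs review.opendev.org:  ",
          verify_host_key(GERRIT_KEY, ZONE["review.opendev.org."]))
    print("gerrit key vs review01.opendev.org:",
          verify_host_key(GERRIT_KEY, ZONE["review01.opendev.org."]))
```

On a real host the same RDATA comes from `ssh-keygen -r review.opendev.org -f /path/to/host_key.pub`, and a client opts in with `ssh -o VerifyHostKeyDNS=yes -p 29418 review.opendev.org`; the records only count as trusted when the zone is DNSSEC-signed and the resolver validates, otherwise ssh still prompts.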